Case : ASA Self-signed certificate for WebVPN

arianto.wibowo
Level 1

Hi All,

I have a case with the self-signed certificate of an ASA.

Based on a tutorial in this forum, I applied this config:

1. Prepare your ASA:

hostname vpn
domain-name mydomain.com

2. Get to creating the certificate:

crypto key generate rsa label sslvpnkeypair modulus 1024

crypto ca trustpoint self
     enroll self
     fqdn vpn.mydomain.com
     subject-name CN=vpn.mydomain.com
     keypair sslvpnkeypair

crypto ca enroll self noconfirm

3. Apply the new certificate:

ssl trust-point self outside

4. Save the config:

write mem

But unfortunately, I'm still having a problem with the certificate.

Below is the screenshot.

Any ideas for this case?

Thanks in advance.

2 Replies

Marvin Rhoads
Hall of Fame

This is normal.

Your browser will not automatically trust certificates signed by the ASA.

If you download the certificate (using the browser tool) and install it locally in your computer's trusted root certificate authority store (and the FQDN you used resolves to the ASA interface), you will no longer get that message.

Hi Marvin,

Thank you for your feedback.

After I traced the log file, I found the message "Device selects trust-point ASA-self-signed for client outside:"

and found this answer:

https://supportforums.cisco.com/discussion/12722681/cisco-asa-getting-temp-cert-device-selects-trust-point-asa-self-signed-client

This case is solved.
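
The symptom from the last reply, as an added example that is not part of the thread or Cisco's own code: a Python check that reads the `ssl trust-point` bindings from a saved config and flags log lines where the ASA selected a different trust-point for that interface, such as `ASA-self-signed`. Only the message wording comes from the post; the timestamps, client addresses and the text after the interface colon are constructed assumptions.

```python
import re

# Message wording as quoted in the thread. Whatever precedes it (timestamp,
# syslog tag) is ignored; the peer field after the colon is an assumed format.
SELECT_RE = re.compile(
    r"Device selects trust-point (?P<tp>\S+) for client (?P<iface>[^:\s]+):(?P<peer>\S*)"
)

# Config excerpt taken from the original post.
SAMPLE_CONFIG = """hostname vpn
domain-name mydomain.com
ssl trust-point self outside
"""

# Constructed log lines (documentation-range addresses), not real device output.
SAMPLE_LOG = [
    "Jan 01 10:00:01 vpn : Device selects trust-point ASA-self-signed for client outside:203.0.113.10/51234",
    "Jan 01 10:05:12 vpn : Device selects trust-point self for client outside:203.0.113.11/40022",
    "Jan 01 10:06:00 vpn : Built inbound TCP connection",
]

def parse_ssl_bindings(config_text):
    """Return {interface: trustpoint} from 'ssl trust-point <name> <interface>' lines."""
    bindings = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[:2] == ["ssl", "trust-point"]:
            bindings[parts[3]] = parts[2]
    return bindings

def find_mismatches(config_text, log_lines):
    """List events where the selected trust-point is not the one bound to the interface."""
    bindings = parse_ssl_bindings(config_text)
    findings = []
    for number, line in enumerate(log_lines, 1):
        match = SELECT_RE.search(line)
        if not match:
            continue  # unrelated log line
        expected = bindings.get(match["iface"])  # None if nothing is bound there
        if match["tp"] != expected:
            findings.append({"line": number, "interface": match["iface"],
                             "selected": match["tp"], "expected": expected,
                             "peer": match["peer"]})
    return findings

if __name__ == "__main__":
    for finding in find_mismatches(SAMPLE_CONFIG, SAMPLE_LOG):
        print(finding)
```

A finding with `expected` set to `None` means no `ssl trust-point` line binds a certificate to that interface in the saved config at all.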